Firewall Wizards mailing list archives

Re: Firewall best practices

From: Dave Piscitello <dave () corecom com>
Date: Wed, 28 Apr 2010 09:13:56 -0400

Marcus,

The problem isn't exclusively that SSL is MITMable: it's (broadly) thelack of or limited clue when assessing risk. While SSL may be in yourterms crappy security, you can use it effectively enough so that youaren't the low hanging fruit, and today, there is so much low hangingfruit, effective security is pretty much reduced to creating theperception that someone else is an easier target.

For example, in many scenarios where SSL is terminated at the firewall,the firewall is the trusted party identified by the server certificate.So the risk of trusting "the firewall" varies according to deployment.Thus, if "the firewall" were an adapter on the emerchant/efinance serverhardware or a blade in a chassis also hosting the emerchant/efinanceserver, risk will be entirely different from "the firewall" being anappliance several LAN hops away from the server, several countries awayin the same virtual/cloud infrastructure, or sitting on a shelf behind ateller at a bank.

Some folks actually consider these factors. In many cases they raisethemselves above the low hanging fruit. But that's pretty much wherethe majority of "security vision" stops or stumbles. I'll give twoexamples of why this is "fail". I'm sure others can chime in otherequally demoralizing examples...

1) Folks mostly consider server side infrastructure security when theydo risk and much of the badness occurs in clients. Man in the browsermalware like Zeus is much more of a problem than SSL MITMs and it's amuch easier attack. Threats of this sort are trivialized in riskassessments that naively mandate desktop software security andautomating patches.

2) Many of the purportedly smarter folks use consumer-orientedregistrars or ISPs for domain registration, DNS hosting, and use dirtcheap certificates that aren't worth the electrons you'd need totransmit them. These are almost *never* considered in risk assessments.

Sorry for the ramble. But here's a homework assignment. Do a "search" on"bank", then check WHOIS on the domains of a random set of financialinstitutions returned in the search and you'll find a surprising numberof banks who register domain names through dirt cheap registrars(hehe... check your own domains). Look at the client lock status ofthese registered domains and you'll see most are vulnerable; worse, askthe IT folks at these companies and few can tell you what securitymeasures the registrars implement and even fewer know how to lock domainnames so they can't be deleted or transferred, or so that their DNSconfigurations can't be altered.



Marcus J. Ranum wrote:

Harrell, Matthew wrote:

This then allows the firewall to scan the data in the packets[...]


I have always been kind of mind-boggled that The Internet makes
abundant use of such crappy security that it's so trivially
susceptible to MITM attacks. And it boggles me further that many
technologists invest in technology for doing exactly this, given
that the expected reaction (years ago!) should have been "time
to fix SSL!" not "oh, cool! a 'secure' socket layer that is
trivially MITMable! how convenient!" If there's anything that
gives us a real indication of where security sits on the trade-off
scale between "nothing at all" and "utter crap" it's the SSL
situation. I guess that having crypto that sucks so badly that
it's breakable is easier than having to actually ask the question,
"if we are 'concerned about data leakage' why are we allowing
outbound encrypted tunnels?"

In Marcus-land the way we'd do it is have crypto that didn't
suck, and firewall rules that permitted outgoing crypto only
to (say, if online banking was an authorized activity during
office hours) a set of supported sites. Yeah, yeah, I know,
Marcus-land isn't a real place...

mjr.

Attachment: dave.vcf
Description:

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Firewall best practices, (continued)
- - - Re: Firewall best practices Marcus J. Ranum (Apr 26)
    - Re: Firewall best practices Carson Gaspar (Apr 27)
    - Re: Firewall best practices ArkanoiD (Apr 28)
    - Re: Firewall best practices david (Apr 26)
    - Re: Firewall best practices John Morrison (Apr 27)
    - Re: Firewall best practices Harrell, Matthew (Apr 27)
    - Re: Firewall best practices Marcus J. Ranum (Apr 27)
    - Re: Firewall best practices Paul D. Robertson (Apr 27)
    - Re: Firewall best practices ArkanoiD (Apr 30)
    - Re: Firewall best practices Andre Lima (Apr 30)
    - Re: Firewall best practices Dave Piscitello (Apr 28)
    - Re: Firewall best practices ArkanoiD (Apr 28)
    - Re: Firewall best practices Nate Itkin (Apr 27)
    - Re: Firewall best practices Dave Piscitello (Apr 27)
    - Re: Firewall best practices Carson Gaspar (Apr 27)
    - Re: Firewall best practices Fetch, Brandon (Apr 27)
    - Re: Firewall best practices lordchariot (Apr 28)
    - Re: Firewall best practices Bruce B. Platt (Apr 30)
    - Re: Firewall best practices Cian Brennan (Apr 28)
    - Re: Firewall best practices Fetch, Brandon (Apr 28)
    - Re: Firewall best practices Mathew Want (Apr 30)

(Thread continues...)